Information security seems, at first sight, to be all about technology. Yet, as all those immersed in IT security jobs know only too well, technology is only ever part of the story.
Indeed, in June this year IBM published a report which concluded that:
“[…] ‘Human error’ was involved in more than 95 percent of the security incidents investigated in 2013.”
Such errors fall in to two broad categories: the unprompted blunder and social engineering.
One of the most notorious examples was in November 2007, when, according to BBC News:
“HM Revenue and Customs (HMRC) lost two computer discs containing the entire child benefit records, including the personal details of 25 million people – covering 7.25 million families overall.”
The discs were sent in the post from the Newcastle head office to the National Audit Office in London by a junior official, but never arrived. They have never been found.
More recently, the Serious Fraud Office admitted to losing sensitive data relating to its BAE systems investigation by sending it in the post to the wrong person over a period of months:
“The data amounted to 32,000 physical pages of text, 81 tapes of audio, and other electronic media” (Wikipedia).
Fortunately in this case, according to the SFO, at least 98 per cent of the data was recovered.
Another broad type of human error is known as social engineering, which is the process of manipulating people into behaving in ways that can (unbeknownst to them) open the door to security breaches.
One of the most widespread forms is the phishing email – a communication which looks convincing enough for the recipient to click a link through to a malign website.
Then there is deception involving direct personal contact, similar to old-fashioned con artistry. Ira Winkler, a “white hat” social engineer, recalls how he and a colleague were able to gain access to a company’s central server room, and create a new active directory account, simply by walking through the door and tricking the right people into giving them access controls.
While human error will always be with us, there are steps that can be taken to minimise risk.
Often the best preventative technique is to spend time with people acquainting them of the risks, and educating them in security best practice. Keeping things simple is essential, and a few key instructions go a long way.
Although technology is a part of the problem, it can also be part of the solution. Make sure your company has the best possible security software in the market – software which minimises as far as possible the involvement of employees.
Finally, make the most of hardware developments. For instance, an ‘easy win’ is to acquire mobile devices that include fingerprint recognition, which can be substituted for pass-codes.
All in all, minimising human error is an ongoing but by no means a losing battle. There is plenty that can be done through lively, supportive communication.